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Abstract 

Model  checking  is  a  technique  that  has  been  successfully 
applied  for  the  validation  and  verification  of  hardware 
specifications  and  communication  protocols.  In  mission- 
critical  systems  of  NASA  and  the  DoD,  various  mobile 
devices  generate  information  dynamically,  and  their  state 
changes  with  time.  Most  often,  a  situation  serves  as  a 
trigger  for  a  new  situation.  Therefore,  it  is  necessary  to 
extend  existing  model  checking  methods  and  tools  in  order 
to  apply  them  for  the  validation  and  verification  of 
situation-aware,  mission-critical  applications  such  as  DoD 
command  and  control  systems  or  the  Navy’s  Total  Ship 
Computing  Environment.  However,  there  are  several 
problems  to  be  overcome  before  these  techniques  become 
practical,  such  as  overcoming  the  state  explosion  problem 
and  adapting  the  V&V  systems  and  algorithms  to  this 
application  area. 

In  this  paper,  we  propose  a  new  technique,  founded  on 
combining  existing  techniques  in  theorem  proving  and 
model  checking  to  extend  the  application  area  of  existing 
pure  model  checking  methods.  This  paper  also  introduces 
state  space  reduction  methods  based  on  abstraction  that 
ameliorate  the  state  explosion  problem.  Future  distributed 
real-time  and  embedded  system  must  necessarily  be  highly 
adaptable,  secure,  and  reliable.  Existing  system 
development  techniques  therefore  need  to  be  extended  so 
that  future  systems  have  the  capability  to  meet  these  new 
system  requirements. 

1.  Motivation 

In  mission-critical  systems  such  as  DoD  Command  and 
Control  Systems  (DCCS)  or  the  Navy’s  future  Total  Ship 
Computing  Environment  (TSCE),  it  is  foreseen  that  tens  of 
thousands  of  dynamically  configurable  systems  will 
collaborate  to  create  and  process  information  in  a  secure 
and  adaptable  manner.  An  emerging  new  technology  that 
could  be  used  to  design  and  build  such  applications  is 
known  as  Situation-Aware  Middleware  (SAM).  This 
dynamically  configurable  middleware  will  include 
functionality  to  support  information  dissemination  to  users 
in  a  dependable,  yet  transparent  manner.  The  middleware 
must  provide  an  open,  standards-compliant,  ubiquitous 
communication  channel  between  situation-aware 
applications  and  its  architecture  must  be  lightweight. 
However,  since  future  systems  will  operate  in  a  dynamic 
and  situation  changing  environment,  this  increases  the 
difficulty  of  validation  and  verification  of  such 
applications.  In  general,  validation  and  verification  (V&V) 
of  current  day  software  systems  is  very  difficult  because  the 


number  of  reachable  states  of  such  systems  is  very  large. 
Therefore,  when  applied  to  these  systems,  conventional 
tools  fail  to  complete  the  verification  task,  and  usually 
terminate  prematurely  after  consuming  all  available  system 
resources.  Therefore,  model  checking  has  rarely  been 
applied  for  the  analysis  of  software  specifications  even 
though  it  has  been  successfully  used  for  the  validation  and 
verification  of  device  drivers  and  communication  protocols. 
In  the  past,  scalability  was  achieved  by  the  use  of  efficient 
representation  techniques,  such  as  Binary  Decision 
Diagrams  (BDDs),  that  are  a  canonical  representation  for 
boolean  formulae  [1],  to  symbolically  represent  the  state 
space  of  a  system.  However,  this  technique  has  limited 
applicability  for  software  specifications,  which  include 
variables  of  richer  data  types  than  Boolean.  For  instance, 
common  data  types  include  enumerations,  and  integer  and 
real  types.  In  this  paper,  we  propose  an  integrated 
validation  and  verification  system,  which  we  call  the 
Extended  Validation  &  Verification  System  (EVS),  which 
is  designed  to  overcomes  some  of  the  difficulties  in 
applying  model  checking  to  situation-aware  applications. 
EVS  is  based  on  two  major  ideas:  One  idea  is  to  combine 
model  checking  with  theorem  proving  methods  to  achieve 
scalability  and  ease-of-use.  Another  is  to  automatically 
apply  property-driven  abstraction  methods  in  order  to 
derive  a  simpler  specification  that  will  be  amenable  to 
automated  analysis. 

In  the  next  section,  we  discuss  details  of  the  Situation 
Aware  Middleware  architecture  used  to  develop  situation- 
aware  applications.  In  Section  3,  we  discuss  EVS  and  its 
application  to  situation-aware  applications,  followed  by  the 
conclusion  in  Section  4. 

2.  Situation- A  ware  Middleware  Architecture 

The  need  for  a  conceptual  architecture  for  Situation-Aware 
Middleware  based  on  Reconfigurable  Context-Sensitive 
Middleware  (RCSM)  is  proposed  in  [2],  Ubiquitous 
applications  need  to  be  aware  of  several  contexts  in  order  to 
be  able  to  adaptively  communicate  with  each  other  across 
different  network  environments,  such  as  mobile  ad-hoc 
networks,  the  Internet,  or  even  mobile  phone  networks. 
However,  existing  context-aware  techniques  often  become 
inadequate  in  these  applications  where  combinations  of 
multiple  contexts  and  users’  actions  need  to  be  analyzed 
over  a  period  of  time.  Situation-awareness  in  application 
software  is  considered  a  desirable  feature  in  order  to 
overcome  this  limitation.  In  addition  to  being  context- 
sensitive,  situation-aware  applications  can  respond  to  both 
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current  and  historical  relationships  between  specific 
contexts  and  device-actions. 

Figure  1  shows  how  all  of  RCSM’s  components  are 
layered  inside  a  device.  The  Object  Request  Broker  of 
RCSM  (R-ORB)  assumes  the  availability  of  reliable 
transport  protocols;  one  R-ORB  per  device  usually  suffices. 


Figure  1.  Situation- Aware  Middleware  Architecture 


The  number  of  ADCs  (Adaptive  Object  Containers) 
depends  on  the  number  of  context-sensitive  objects  in  the 
device.  ADCs  periodically  collect  the  necessary  “raw 
context  data”  through  the  R-ORB,  which  in  turn  collects 
data  from  sensors  and  the  operating  system.  Initially,  each 
ADC  registers  with  the  R-ORB  to  express  its  needs  for 
contexts  and  publishes  the  corresponding  context-sensitive 
interface.  RCSM  is  called  re-configurable  because  it  allows 
addition  or  deletion  of  individual  ADCs  during  runtime  (to 
manage  new  or  existing  context-sensitive  application 
objects)  without  affecting  other  runtime  operations  inside 
RCSM.  An  example  of  a  SmarlClassroom  is  presented  in 

[3], 

3.  Validation  and  Verification  Framework 

In  Section  2,  the  situation-aware  middleware  architecture, 
which  will  be  the  basis  for  validation  and  verification,  was 
introduced.  In  this  section,  we  describe  the  architecture  of 
the  EVS,  and  the  aspects  of  the  EVS  related  to  the  proposed 
target  middleware  model  with  respect  to  the  aspects  of 
situation-awareness,  real-time,  and  security. 

During  model  checking,  the  state  spaces  of  software 
systems  are  extremely  large.  Therefore,  in  current 
computing  environments,  applying  model  checking  to  such 
systems  is  often  infeasible.  Traditionally,  there  have  been 
two  main  approaches  to  solve  this  problem,  one  using 
abstraction  techniques  and  the  other  using  partial  order 


reduction  methods.  The  idea  of  applying  abstraction  was 
first  introduced  by  Clarke  et  al  [4].  In  this  paper,  the 
authors  demonstrate  how  abstract  finite  state  machines  may 
be  extracted  directly  from  finite  state  programs,  using  a 
method  similar  to  those  used  in  abstract  interpretation.  The 
partial  order  reduction  method  consists  of  constructing  a 
reduced  state  graph.  The  full  state  graph,  which  may  be  too 
big  to  fit  in  memory,  need  never  be  constructed  [5],  This 
method  is  a  good  fit  for  asynchronous  system  verification. 

The  system  EVS  has  two  main  capabilities,  one  to 
support  abstraction  mechanisms  to  reduce  the  state  space 
and  the  other  is  to  combine  theorem  proving  and  model 
checking.  As  shown  in  Figure  2,  EVS  consists  of  the 
following  three  sub-components: 


Figure  2:  Our  Validation  and 

Verification  Framework. 

Legends : 

SS:  Situation  Specification 
AM:  Abstraction  Mechanism 
QoSmon:  QoS  monitoring 
TEVS:  Translator  EVS 
EVS:  Extended  V&V  System 
RG:  Report  Generator 

3.1  Abstraction  Mechanisms  Generating  Component: 

The  inputs  to  this  component  include  specifications  of  all 
the  situations,  in  a  formal  notation  called  the  situation- 
aware  contract  specification  language,  SA-CSL  [6], 
Conventional  model  checking  and  theorem  proving  tools 
are  mainly  used  to  specify  and  check  safety  properties. 
Therefore,  in  order  to  check  that  situation-awareness,  real¬ 
time,  and  security  Quality  of  Service  (QoS)  requirements 
are  met  by  the  middleware  specified  in  SA-CSL,  there  is  a 
need  to  extend  their  capabilities.  Our  proposed  extensions 
can  reduce  redundant,  unnecessary  constraints  related  to 
situation-awareness,  and  real-time  and  security  constraints. 
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These  abstraction  mechanisms  make  the  system  EVS 
(discussed  in  the  sequel)  to  be  more  effective  and  efficient. 

3.2  Extended  Validation  and  Verification  System: 

The  two  major  problems  addressed  by  the  system  EVS  are 
the  state  explosion  problem  during  model  checking  and  the 
need  for  user  ingenuity  and  guidance  in  the  case  of  theorem 
proving.  A  two-pronged  approach  is  being  used  to  tackle 
these  issues:  (1)  Use  of  the  invariant  checker  Salsa  which 
uses  a  combination  of  theorem  proving  and  model  checking 
techniques  to  provide  scalability  and  ease-of-use.  (2) 
Automatic  property-driven  abstraction  methods  to 
transform  a  specification  expressed  in  SA-CSL  into  a 
simpler  specification  that  is  amenable  to  automated 
analysis.  Additionally,  a  compliance  checker  (CC)  proves 
compliance  of  the  specified  situation-aware  middleware 
and  the  real-time  constraints,  the  security  policies,  and  QoS 
requirements  expected  of  the  middleware.  By  ensuring  that 
these  properties  are  satisfied  and  that  the  middleware 
behaves  as  specified,  we  address  the  issue  of  integrity  of 
the  generated  middleware.  Generally,  this  approach  of 
validation  and  verification  requires  formal  definitions  using 
a  Kripke  structure  to  model  the  situation-aware  application. 
Let  AP  be  a  set  of  atomic  propositions.  A  Kripke  structure 
over  AP  is  a  four  tuple  K  =  {AP,  S,  A,  L}  where  AP  is  a  set 
of  atomic  propositions  that  hold  in  a  specific  system  state,  S 
is  a  finite  set  of  situations,  A(AcZiSx,S)isa  finite  set  of 

actions  and  L  ( S  — >  2  F  )  is  a  labeling  function  that  labels 
each  situation  with  the  set  of  atomic  propositions  that  hold 
for  that  situation. 

3.3  Translator  for  the  Extended  Validation  and 
Verification  System  (TEVS): 

The  Translator  for  the  Extended  Validation  and  Verification 
System  (TEVS)  is  an  interface  between  the  Abstraction 
Mechanism  and  EVS.  We  plan  to  develop  the  system  EVS 
and  its  components  by  reusing  existing  components  and 
tools.  Therefore,  the  translator  will  serve  as  the  “glue” 
code  that  will  serve  as  the  interface  to  this  diversity  of 
systems  and  notations. 

4.  Conclusion 

In  this  paper,  we  describe  the  architecture  and  design  of  an 
extended  V&V  system  for  situation-aware  middleware 
architectures  for  mission-critical  applications.  The  benefits 
of  using  our  framework  are:  (1)  Ease  of  development  of 
situation-awareness  applications  and  (2)  Ability  to  validate 
and  verify  them  by  the  use  of  efficient  techniques  to  deal 
with  the  state  space  explosion  problem  by  the  use  of  a 
combination  of  abstraction  methods  and  invariant  checking. 
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